
    How to Secure a WordPress Website.


    How to Secure a WordPress Website Tutorial Overview.

    This tutorial is about raising the security of your WordPress website so that attackers move on to easier targets. I will go over why website security matters, some of the reasons hackers want to compromise your website, and 11 steps you can take today to secure your WordPress website.


    Why is WordPress Security Important?

    Have you ever thought about the possibility of your WordPress website getting hacked? Do you run a membership or eCommerce website that stores user data? Whatever type of WordPress website you have, keeping it secure matters. WordPress is the most popular CMS in the world, which also makes it the most frequently attacked: automated tools scan for WordPress sites with known vulnerabilities around the clock, and they do not care how small or obscure your site is. Google blacklists tens of thousands of websites every day for malware and phishing. With a little work you can secure your WordPress site and greatly reduce the chance of being hacked.


    Why Would Someone Want to Hack My Website?

    There are many reasons hackers want to gain access to your website. Here are just a few:

    To Steal Your Data.

    If you operate an eCommerce or membership website, you are storing many different types of data. Attackers are after payment card data, users' passwords (or the password hashes, which they crack offline at leisure), email addresses and any other personal information they can get their hands on. If you store customer data, it is your responsibility to protect it to the best of your ability.

    Phishing Scams.

    One of the most interesting hacks I have seen was from a client who was complaining about strange things happening on their website. Upon inspection, I found a directory on their server where a hacker had set up a fake Discover Card website. On the front end it looked just like the real website. The hacker was sending out mass emails warning people that their Discover Card accounts had been compromised and that they needed to click a link to recover their account. When they clicked the link, they were sent to the fake Discover Card website, where they were prompted to enter information such as their account number and social security number. All of this data was being sent to the hacker's Gmail account. Proper security measures greatly reduce the risk of your server being used to host phishing pages like this, and note that the phishing victims were not the site's own users: a compromised site is a weapon against everyone else too.

    Placing Backlinks to Increase Their SEO.

    Attackers can exploit the good reputation and long-standing record of your website to raise the search ranking of their own. If they gain access to your site, they can inject links back to their website, often hidden from human visitors but visible to search-engine crawlers, and those links boost their ranking. It takes a lot of time and effort to build your website's ranking and reputation, and search engines may flag or penalise your site once they notice the spam, so don't let it all be ruined by attackers with harmful intent.

    Crypto Jacking.

    This is a fairly new motive for hacking websites. Cryptojacking is where an attacker embeds a mining script in your pages so that every visitor's browser mines cryptocurrency for the attacker, or drops a mining program directly on your server. Mining is very resource-intensive: visitors get a slow, hot machine and leave, and a server-side miner burns the CPU you pay for, which can cost you a fair amount of money if it is not caught in a timely manner.

    Just to be a Prick.

    A denial-of-service (DoS) attack happens when an attacker floods a web server with more requests than it can handle, so that the website or application can no longer respond; a distributed DoS (DDoS) does the same from thousands of machines at once. Either way, legitimate users cannot reach the site. These attacks typically don't result in a loss of data, but they can cost you a significant amount of money through lost traffic and the time it takes to restore service and your reputation.


    What Can I Do to Secure My WordPress Website?

    Here are 11 steps you can take to secure your WordPress website.

    Keep Everything Updated. . . Always.

    WordPress is open-source software, so anyone can read its source code, and the same is true of the tens of thousands of open-source themes and plugins that can be added to it. That openness is good for security, because bugs get found and reported, but attackers read the code too, and once a vulnerability is published they scan for sites that have not yet patched it. The WordPress project releases updates constantly, as do the thousands of independent developers of themes and plugins, not only to improve the software but to fix security vulnerabilities as they arise. It is crucial that you keep all themes, plugins and the WordPress core as up to date as possible. For an in-depth look at updating WordPress check this out: Why it's Important to Update WordPress.
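    The quickest way to stay current is to let WordPress update itself. The following must-use plugin is an added example, not code from the tutorial or from WordPress itself; the plugin slug it excludes from automatic updates is an assumption standing in for one you have customised and prefer to update by hand.

```php
<?php
/**
 * Added example, not code from the original tutorial: a must-use plugin that turns on
 * automatic updates for WordPress core, plugins, themes and translations, and excludes
 * one plugin the site owner prefers to update by hand (its slug is an assumption).
 * Save as wp-content/mu-plugins/auto-updates.php; mu-plugins load on every request
 * and cannot be deactivated from the dashboard, so the policy cannot be switched off
 * by a compromised admin account clicking a button.
 */

// Core: 'minor' (the default) installs security and maintenance releases only;
// true also installs major releases. Conventionally set in wp-config.php.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
	define( 'WP_AUTO_UPDATE_CORE', true );
}

// Plugin slugs to leave for manual updating (assumed slug, for illustration).
const MANUAL_UPDATE_PLUGINS = [ 'my-customised-plugin' ];

// $item is the update offer WordPress received from the plugin directory.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	if ( isset( $item->slug ) && in_array( $item->slug, MANUAL_UPDATE_PLUGINS, true ) ) {
		return false;   // leave this one for a human
	}
	return true;        // everything else updates as soon as a release is offered
}, 10, 2 );

add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );
```

    Automatic updates run from WP-Cron, so they only happen if something triggers cron (page views, or better a real system cron job hitting wp-cron.php). WordPress emails the admin address with the outcome of each automatic update; read those emails, and still check the Updates screen for anything you excluded.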

    Use a Good WordPress Hosting Company.

    Using a quality web host is extremely important. In the same way that you must keep your website updated, your hosting company must keep its web servers, PHP and database software patched, and keep your site isolated from other customers on the same machine. Hosts such as Kinsta, SiteGround and BlueHost understand this and offer managed WordPress hosting on hardened servers. Their plans are affordable and well worth the investment.


    Install a WordPress Security Plugin.

    A good security plugin is close to essential if you want to secure your WordPress site. These are just a few of the things a good one does for you:

    • Brute Force Attack Protection (login attempt limits and lockouts).
    • Malware Scanning.
    • File Change Detection (an alert when a core, theme or plugin file changes unexpectedly).
    • Two-Factor Authentication.
    • Google reCAPTCHA Integration.
    • Strong Password Enforcement.
    • Hiding the Admin and Login URL (obscurity only: it cuts automated noise but will not stop a targeted attacker).
    • Comment Spam Protection.
    • Scheduled Backups.

    A good WordPress security plugin makes it much easier to keep your site secure and gives you confidence that your website and its data are well protected. It also builds trust with your clients by showing them you care about their privacy. Personally, I have been using iThemes Security Pro for the majority of my clients for a long time and I can honestly say that none of my clients' websites have ever been compromised while using this plugin. It is a fantastic security solution for any WordPress website and very affordable. Sucuri is also a highly trusted WordPress security solution that I have used in the past.

    Use an SSL Certificate.

    Lately there has been a lot of attention given to the fact that Google marks sites without HTTPS as "Not secure" in Chrome and treats HTTPS as a ranking signal. SEO is a fine reason to use it, but the real purpose of an SSL certificate (strictly TLS, though everyone still says SSL) is to encrypt and authenticate the connection between the visitor's browser and your web server. Without it you are open to a man-in-the-middle attack: anyone on the network path, whether a coffee-shop Wi-Fi, a compromised router or an ISP, can read or alter the data passing between the browser and your server, including login passwords and session cookies. TLS encrypts that traffic so it is useless to an eavesdropper, and the certificate lets the browser verify it is really talking to your site and not an impostor. Take a deeper look into SSL: How to Install a Free SSL Certificate.
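    A certificate on its own does nothing until every request actually uses it. The must-use plugin below is an added example, not code from the tutorial or from WordPress; the file name is an assumption. It redirects plain-HTTP visitors to HTTPS and sends an HSTS header so returning browsers never try HTTP again, which is the step that actually closes the man-in-the-middle window described above.

```php
<?php
/**
 * Added example, not code from the original tutorial: force the whole site onto HTTPS
 * once a certificate is installed. Save as wp-content/mu-plugins/force-https.php (file
 * name assumed). Pair it with define( 'FORCE_SSL_ADMIN', true ); in wp-config.php,
 * which makes WordPress serve wp-login.php and wp-admin over HTTPS only.
 */

// Hosts that terminate TLS on a load balancer hand PHP a plain-HTTP request plus an
// X-Forwarded-Proto header. Without this, is_ssl() is false and the redirect below
// loops. Only trust the header if your proxy overwrites it; a visitor can forge it.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
	$_SERVER['HTTPS'] = 'on';
}

// Send plain-HTTP front-end requests to the same path on HTTPS. home_url() builds the
// target from the configured site address, not from the Host header, so this redirect
// cannot be abused to bounce visitors to another domain.
add_action( 'template_redirect', function () {
	if ( is_ssl() ) {
		return;
	}
	wp_safe_redirect( home_url( $_SERVER['REQUEST_URI'], 'https' ), 301 );
	exit;
} );

// HSTS tells returning browsers to use HTTPS without asking, so even the first request
// of a visit is never sent in the clear. It is only sent on HTTPS responses. Start with
// a short max-age and raise it (e.g. 31536000) once every subdomain is confirmed to
// work over HTTPS, because a wrong HSTS header locks visitors out for its whole lifetime.
add_action( 'send_headers', function () {
	if ( is_ssl() && ! headers_sent() ) {
		header( 'Strict-Transport-Security: max-age=300; includeSubDomains' );
	}
} );
```

    After switching, also update the WordPress Address and Site Address settings to https:// and fix any hard-coded http:// URLs in content, otherwise browsers will report mixed content and the padlock will not appear.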

    Limit Login Attempts.

    By default, WordPress doesn't limit the number of times someone can attempt to log in to your website. Limiting failed login attempts greatly reduces the chance of falling victim to a brute-force attack, where an attacker's program tries to log in with thousands of username and password combinations (usually a list of common passwords against usernames it has already harvested from your site) until one works. You may have read that a modern computer can crack an eight-character alphanumeric password in under three hours; that figure applies to offline cracking of a stolen password hash, where the attacker can try billions of guesses per second. Guessing online against your login form is far slower, and a lockout after a handful of failures slows it further still. Two caveats: a lockout keyed on IP address does little against an attacker who spreads guesses across a botnet, and it can lock out legitimate users (or be abused to lock out the admin), so treat it as one layer among several. This demonstrates the importance of the next topic, using strong passwords.
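    Security plugins implement this for you, but it is worth seeing how little it takes. The must-use plugin below is an added example, not code from the tutorial or from any plugin named on this page; the thresholds and file name are assumptions. It counts failures per client address in WordPress transients and rejects authentication from a locked address even if the correct password is supplied.

```php
<?php
/**
 * Added example, not code from the original tutorial: a small failed-login lockout as a
 * must-use plugin (wp-content/mu-plugins/login-lockout.php, file name assumed). After
 * LOCKOUT_THRESHOLD failures from one client address within LOCKOUT_WINDOW seconds, that
 * address cannot log in for LOCKOUT_DURATION seconds, whatever credentials it sends.
 */

const LOCKOUT_THRESHOLD = 5;        // failures allowed ...
const LOCKOUT_WINDOW    = 15 * 60;  // ... within this many seconds
const LOCKOUT_DURATION  = 60 * 60;  // how long the lockout lasts

// Behind a reverse proxy REMOTE_ADDR is the proxy, so every visitor would share one
// counter; in that case substitute the forwarded-address header your proxy is known to set.
function lockout_client_ip(): string {
	return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Transient keys: hashing keeps them short and free of characters transients dislike.
function lockout_fail_key( string $ip ): string {
	return 'login_fail_' . hash( 'sha256', $ip );
}
function lockout_lock_key( string $ip ): string {
	return 'login_lock_' . hash( 'sha256', $ip );
}

// Count failures. wp_login_failed fires for the login form, XML-RPC and REST
// authentication alike, so every entry point shares one counter.
add_action( 'wp_login_failed', function ( $username ) {
	$ip    = lockout_client_ip();
	$fails = (int) get_transient( lockout_fail_key( $ip ) ) + 1;
	set_transient( lockout_fail_key( $ip ), $fails, LOCKOUT_WINDOW );
	if ( $fails >= LOCKOUT_THRESHOLD ) {
		set_transient( lockout_lock_key( $ip ), time(), LOCKOUT_DURATION );
		delete_transient( lockout_fail_key( $ip ) );
		// One line in the server's error log per lockout, for fail2ban or a SIEM to act on.
		error_log( sprintf( 'wp-login lockout ip=%s user=%s', $ip, (string) $username ) );
	}
} );

// Refuse authentication while locked. WordPress checks the password at priority 20 on
// this filter; running at 30 replaces whatever it decided, so even the right password
// is rejected until the lockout expires. Empty usernames (cookie checks) pass through.
add_filter( 'authenticate', function ( $user, $username ) {
	if ( '' !== (string) $username && get_transient( lockout_lock_key( lockout_client_ip() ) ) ) {
		return new WP_Error(
			'too_many_attempts',
			'Too many failed login attempts. Please try again later.'
		);
	}
	return $user;
}, 30, 2 );

// Reset the counter on success, so an occasional typo never accumulates into a lockout.
add_action( 'wp_login', function () {
	delete_transient( lockout_fail_key( lockout_client_ip() ) );
} );
```

    With the default object cache the transients live in the wp_options table, which is fine at this scale. The error_log() line is deliberate: a host-level tool can ban the address at the firewall, which is a far cheaper place to stop a brute-force attack than inside PHP.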

    Use Strong Passwords.

    When you set a password in WordPress, it recommends a strong one but does not require it, and the strength meter runs only in the browser, so it can be ignored or bypassed. I understand how convenient an easy-to-remember password is, but is it really worth the risk? I recommend a password, or better a passphrase, of at least 12 characters; a password manager lets you use long random ones without having to remember them. Any printable character is fine. The old advice to avoid the greater-than and less-than symbols comes from badly built forms that mishandle them; a properly built site, WordPress included, accepts them. If you have a membership or eCommerce website it is very important to require strong passwords for all of your users as well. Change a password immediately whenever you suspect it has been exposed (a breach, a shared machine, a departed contractor); changing passwords on a fixed schedule mostly pushes people toward weak, predictable variations, which is why current NIST guidance no longer recommends it. Here is a list of the most common passwords found in breach data; none of them, nor simple variations like password1, should ever be accepted:

    • 123456
    • 123456789
    • qwerty
    • password
    • 111111
    • 12345678
    • abc123
    • 1234567
    • password1
    • 12345
    • sunshine
    • iloveyou
    • princess
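    Because the WordPress strength meter is client-side only, enforcement has to happen on the server. The must-use plugin below is an added example, not code from the tutorial or from WordPress; the file name is an assumption. It rejects short passwords, the common passwords listed above (including variations like Password2024!), and passwords containing the username, on the wp-admin user screens and the password-reset form.

```php
<?php
/**
 * Added example, not code from the original tutorial: server-side password rules as a
 * must-use plugin (wp-content/mu-plugins/password-policy.php, file name assumed).
 * WordPress's strength meter runs only in the browser and can be ignored; these hooks
 * reject weak passwords when a user is created or edited in wp-admin, when a user
 * changes their own password, and on the password-reset form.
 */

const MIN_PASSWORD_LENGTH = 12;

// The common passwords listed above. A real deployment would load a much larger
// breach-derived list, but the matching logic is the same.
const COMMON_PASSWORDS = [
	'123456', '123456789', 'qwerty', 'password', '111111', '12345678', 'abc123',
	'1234567', 'password1', '12345', 'sunshine', 'iloveyou', 'princess',
];

/** Returns null if the password is acceptable, otherwise the reason it is not. */
function password_policy_problem( string $password, string $username = '' ): ?string {
	if ( mb_strlen( $password ) < MIN_PASSWORD_LENGTH ) {
		return sprintf( 'Passwords must be at least %d characters long.', MIN_PASSWORD_LENGTH );
	}
	$lower = strtolower( $password );
	// Strip trailing digits and punctuation so "Password2024!" is caught as "password".
	$stem = rtrim( $lower, '0123456789!@#$%^&*.,_-' );
	if ( in_array( $lower, COMMON_PASSWORDS, true ) || in_array( $stem, COMMON_PASSWORDS, true ) ) {
		return 'That password, or a simple variation of it, is on lists of commonly used passwords.';
	}
	if ( '' !== $username && false !== strpos( $lower, strtolower( $username ) ) ) {
		return 'The password must not contain your username.';
	}
	return null;
}

/** Shared helper: add a policy violation to the WP_Error that WordPress will display. */
function password_policy_check( WP_Error $errors, string $password, string $username ): void {
	$problem = password_policy_problem( $password, $username );
	if ( null !== $problem ) {
		$errors->add( 'weak_password', $problem );
	}
}

// Add New User and Edit User screens, and a user editing their own profile.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( ! empty( $_POST['pass1'] ) ) {
		password_policy_check( $errors, wp_unslash( $_POST['pass1'] ), $user->user_login ?? '' );
	}
}, 10, 3 );

// The "set new password" form reached from a reset link.
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( ! empty( $_POST['pass1'] ) && $user instanceof WP_User ) {
		password_policy_check( $errors, wp_unslash( $_POST['pass1'] ), $user->user_login );
	}
}, 10, 2 );
```

    Membership and eCommerce plugins usually ship their own registration and account forms with their own validation hooks; reuse password_policy_problem() from those hooks so every way of setting a password goes through the same rules.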


    Use Two-Factor Authentication.

    Two-factor authentication adds a second step to login: after the username and password, you must also enter a one-time code, typically generated by an authenticator app on your phone from a secret shared with the site (a time-based one-time password, or TOTP), or sent to you by email or SMS. App-generated codes are preferable, because email and SMS can be intercepted or redirected. Google makes an app that works very well for this, Google Authenticator, and any other TOTP app works with the same secret. Many high-quality security plugins like iThemes Security Pro have this capability built in, and there are dedicated plugins such as Google Authenticator by miniOrange and Wordfence. The point is that a stolen or guessed password alone no longer gets an attacker in.
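    To show what the authenticator app and the plugin are actually agreeing on, here is the TOTP calculation itself (RFC 6238 on top of RFC 4226 HOTP). It is an added example, not code from the tutorial or from any of the plugins named above, and it is deliberately stand-alone: run it with the PHP CLI and it checks itself against the RFC's published test vector before printing the current code for that demo secret.

```php
<?php
/**
 * Added example, not code from the original tutorial: the calculation behind authenticator
 * app codes, RFC 6238 TOTP built on RFC 4226 HOTP, which is what Google Authenticator and
 * the plugins named above implement. Runs stand-alone from the PHP CLI and checks itself
 * against the RFC's published test vector; a plugin would store the per-user secret and
 * call totp_verify() as an extra step after the password check.
 */

/** Decode the Base32 secret that an authenticator app imports from the QR code. */
function base32_decode_secret( string $b32 ): string {
	$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
	$bits     = '';
	foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
		$v = strpos( $alphabet, $c );
		if ( false === $v ) {
			throw new InvalidArgumentException( "invalid base32 character: $c" );
		}
		$bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
	}
	$bytes = '';
	foreach ( str_split( $bits, 8 ) as $byte ) {
		if ( 8 === strlen( $byte ) ) {               // drop the padding remainder
			$bytes .= chr( bindec( $byte ) );
		}
	}
	return $bytes;
}

/** HOTP: HMAC-SHA1 of the big-endian counter, dynamically truncated to $digits digits. */
function hotp( string $key, int $counter, int $digits = 6 ): string {
	$hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $key, true );
	$offset = ord( $hash[19] ) & 0x0f;
	$code   = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
	        | ( ord( $hash[ $offset + 1 ] ) << 16 )
	        | ( ord( $hash[ $offset + 2 ] ) << 8 )
	        | ord( $hash[ $offset + 3 ] );
	return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/** TOTP: HOTP with the counter set to the number of 30-second steps since the epoch. */
function totp( string $key, int $unix_time, int $step = 30 ): string {
	return hotp( $key, intdiv( $unix_time, $step ) );
}

/**
 * Accept the current code and the ones either side of it, so a phone whose clock is up
 * to 30 s off still works. hash_equals() keeps the comparison constant-time.
 */
function totp_verify( string $key, string $submitted, int $unix_time, int $step = 30 ): bool {
	$ok = false;
	for ( $i = -1; $i <= 1; $i++ ) {
		$ok = hash_equals( totp( $key, $unix_time + $i * $step, $step ), $submitted ) || $ok;
	}
	return $ok;
}

// RFC 6238 Appendix B vectors (secret is the ASCII string "12345678901234567890",
// whose Base32 form GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ is what a QR code would carry).
$secret = base32_decode_secret( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
$checks = [
	'12345678901234567890' === $secret,
	'287082' === totp( $secret, 59 ),
	'081804' === totp( $secret, 1111111109 ),
	'005924' === totp( $secret, 1234567890 ),
	totp_verify( $secret, '287082', 59 + 25 ),     // 25 s later, still inside the window
	! totp_verify( $secret, '287082', 59 + 120 ),  // 2 minutes later, rejected
];
if ( in_array( false, $checks, true ) ) {
	exit( "TOTP self-check failed\n" );
}
echo 'self-check passed; current code for the demo secret: ', totp( $secret, time() ), "\n";
```

    Two things follow from the arithmetic. The secret is all the security there is, so a plugin must store it as carefully as a password (and never show it again after enrolment), and the server's clock must be right, because a code is only valid for the 30-second step it was generated in plus one step either side.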

    Change Your Database Prefix.

    Changing your database prefix makes your site a slightly harder target, but understand what it does and does not do. It defeats automated SQL injection payloads and scripts that assume the default table names, and nothing more: an attacker who has found an injection point can simply ask the database for its table names. Treat it as a cheap extra, not as protection against SQL injection; keeping plugins updated is what protects you from that. WordPress uses a default prefix of wp_ but you are able to change it. Whenever you work with a database, back it up before any modification in case you need to revert. I recommend only setting the prefix at the initial install unless you are comfortable working with SQL queries and databases. If you want to change it on an existing website here are instructions: How to Change the WordPress Database Prefix. Proceed with caution and back up your database before you start. Done incorrectly, this will break your website, most often by leaving every user (including you) with no role, because some option and usermeta keys embed the prefix and must be renamed along with the tables.
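    For those comfortable with SQL, the following script is an added example, not code from the tutorial or the linked instructions. It renames the tables and, crucially, the option and usermeta keys that embed the prefix. The database credentials, host and new prefix are assumptions to replace, and it is written for a single-site install.

```php
<?php
/**
 * Added example, not code from the original tutorial: rename every table from the old
 * prefix to a new one and fix the option and usermeta rows whose keys embed the prefix.
 * Run once from the command line (php change-prefix.php) against a database you have just
 * backed up. The credentials, host and new prefix are assumptions to replace; afterwards
 * set $table_prefix to the new value in wp-config.php.
 */

$old = 'wp_';
$new = 'x7q2_';   // assumed new prefix; letters, digits and underscores only

$db = new mysqli( 'localhost', 'wp_user', 'wp_password', 'wp_db' ); // assumed credentials
if ( $db->connect_error ) {
	exit( "connect failed: {$db->connect_error}\n" );
}

// Prefixes become part of SQL identifiers, so refuse anything a quote could hide in.
foreach ( [ $old, $new ] as $p ) {
	if ( ! preg_match( '/^[a-z0-9_]+$/', $p ) ) {
		exit( "unsafe prefix: $p\n" );
	}
}

// In LIKE patterns '_' is a wildcard, so escape it: wp_ becomes wp\_%.
$pattern = str_replace( '_', '\\_', $old ) . '%';

// 1. Rename the tables. RENAME TABLE commits implicitly, so there is no rolling back
//    half-way: that is what the backup is for.
$tables = [];
$res    = $db->query( "SHOW TABLES LIKE '" . $db->real_escape_string( $pattern ) . "'" );
while ( $row = $res->fetch_row() ) {
	$tables[] = $row[0];
}
foreach ( $tables as $t ) {
	$renamed = $new . substr( $t, strlen( $old ) );
	$db->query( "RENAME TABLE `$t` TO `$renamed`" ) or exit( "{$db->error}\n" );
	echo "$t -> $renamed\n";
}

// 2. Keys that embed the prefix: wp_user_roles in options; wp_capabilities, wp_user_level
//    and wp_user-settings* in usermeta. Miss these and every user, admin included, is left
//    with no role after the rename.
$fixups = [
	[ "{$new}options",  'option_name' ],
	[ "{$new}usermeta", 'meta_key' ],
];
foreach ( $fixups as [ $table, $column ] ) {
	$stmt  = $db->prepare( "UPDATE `$table` SET `$column` = CONCAT(?, SUBSTRING(`$column`, ?)) WHERE `$column` LIKE ?" );
	$start = strlen( $old ) + 1;  // SUBSTRING is 1-based
	$stmt->bind_param( 'sis', $new, $start, $pattern );
	$stmt->execute() or exit( "{$stmt->error}\n" );
	echo "$table: {$stmt->affected_rows} keys updated\n";
}

echo "Done. Now set \$table_prefix = '$new'; in wp-config.php\n";
```

    Run it, edit $table_prefix in wp-config.php, then log in and confirm your user still has the Administrator role. Some plugins store their own table names in options or in their own config files; if one stops working after the change, that is where to look.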

    Use the Latest Version of PHP.

    PHP is the programming language that WordPress is written in. According to WordPress.org, over 70% of WordPress websites are running on a version of PHP that is past its end of life, meaning it no longer receives security fixes at all. This is a major security risk, and if you are one of the 70% you really need to upgrade the PHP version your website is running on. You can see the version you are on under Tools > Site Health in the WordPress dashboard. If you have a hosting account with cPanel, switching is as easy as clicking a button, but be aware before you make this change: updating PHP can break parts of your website or the entire website, so do it in a development environment and fully test the change before going live.

    Remove All Unused Themes & Plugins.

    It is quite common while developing a WordPress website to install and test various themes and plugins until you figure out which ones work best. When it's finally time to go live there may be a number of unused themes and plugins still installed. Delete all of the unused plugins and leave only one spare theme installed (WordPress needs a default theme to fall back on). Just because a plugin is deactivated doesn't mean an attacker can't use it: its files are still on the server and reachable over the web, so a vulnerability in them can still be exploited, and you are unlikely to be keeping deactivated plugins updated. Removing them also keeps your website as lean as possible. If you're not using it, delete it.

    Backup Your Website.

    I can't overemphasize the importance of this step. Always keep an up-to-date backup of your website in a location that is not your web server. I back up all of my clients' websites once a week in a secure, off-site location. You can take all of the security precautions in the world but nothing is 100% certain. If your website is compromised beyond recovery, you should always have a full copy so you can restore a clean one. Match the backup frequency to how fast the site changes: weekly may do for a brochure site, but a store taking orders should back up its database daily or more often. Test a restore occasionally; a backup you have never restored is a hope, not a plan. Keep the backup somewhere other than your web server, because if the server is wiped or encrypted by ransomware, a backup sitting on the same machine goes with it. Kept off-site, access-controlled and ideally encrypted, it survives whatever happens to the server.


    I have been using Backup Buddy for a long time for most of my clients. It is a great backup solution, possibly the best, and I have never had any issues or problems in any way with it. There are many other backup solutions available like ManageWP and UpdraftPlus.

    If you enjoyed this tutorial about how to secure a WordPress website, check out my other tutorials and reviews @ TwentySixForty.

